U.S. Department of Justice

United States Attorney 
Southern District of New York 

The Silvio J. Mollo Building 
One Saint Andrew's Plaza 
New York, New York 10007 


September 28, 2018 


BY HAND 


Sabrina Shroff Esq. 

Matthew Larsen, Esq. 

Federal Defenders of New York 
52 Duane Street 
New York, NY 10007 



Re: United States v. Joshua Schulte, S1 17 Cr. 548 (PAC)


Dear Counsel: 

Pursuant to our obligations under Brady v. Maryland, 373 U.S. 83 (1963), and its 
progeny, we write to provide you with the following information. In addition, because this 
information is also relevant to search warrant affidavits related to searches of the defendant’s
apartment and email account, we are identifying portions of the affidavits to which this 
information relates. For ease of reference, the Government has identified, and, where 
appropriate, underlined, the parts of the affidavits that are impacted by this disclosure. This 
letter and the information contained herein are classified as “SECRET/NOFORN” pending 
further classification review, and are being provided to you pursuant to the Classified 
Information Protective Order (the “CIPO”) entered by the Court. The Government also reserves 
the right to supplement or modify any of the information relayed in this letter. 

As you are aware, as part of its discovery production to the defense, the Government has 
produced several search warrants and supporting documentation. The search warrant production 
included, among other things, (a) a March 13, 2017 search warrant related to the search of the 
defendant’s apartment and the supporting affidavit executed by Special Agent Jeff D. Donaldson 
(the “March 13, 2017 Affidavit”); and (b) a May 17, 2017 search warrant related to the search of 
the defendant’s Gmail account and the supporting affidavit executed by Special Agent 
Donaldson (the “May 17, 2017 Affidavit,” and together with the March 13, 2017 Affidavit, the 
“Affidavits”). After the Affidavits were sworn out during an early part of the investigation, 
WikiLeaks continued to post online leaked classified information that purported to originate in
the Central Intelligence Agency (the “CIA”). 

1. The March 13, 2017 Affidavit

With respect to the March 13, 2017 Affidavit, the Government notes the following: 


Affidavit Citation / Language in Affidavit ** / Note

Affidavit Citation: Pg. 5, ¶ 8(b)
Language in Affidavit: “(Moreover, as described in detail below, only three of those approximately 200 people who worked for the CIA Group had access to the specific portion of the Group’s computer network on which the Classified Information was likely stored.)”

Affidavit Citation: Pg. 8 Heading D
Language in Affidavit: “D. TARGET SUBJECT JOSHUA ADAM SCHULTE was One of Only Three Employees Across the Entire CIA Who, in March 2016, Had Been Given System Administrator Access to the Back-up Server.”

Affidavit Citation: Pg. 9, ¶ 12
Language in Affidavit: “I know, based on my conversations with other law enforcement agents and others, in approximately March 2016—the month when the Classified Information is assessed to have been copied—only three CIA employees were designated System Administrators with access to the CIA Group’s Back-Up Server.”

Note: Based on further investigation, the Government notes that, in or about March of 2016, at least five of the 200 employees of the CIA Group had access to the specific portion of the Group’s computer network on which the Classified Information was likely stored. Schulte was not himself an administrator of the Back-Up Server. However, Schulte was one of the System Administrators who had access to the volume within the Back-up Server that stored the backups.

Affidavit Citation: Pg. 9, ¶ 12(a)
Language in Affidavit: “TARGET SUBJECT JOSHUA ADAM SCHULTE (‘SCHULTE’) was one of the three System Administrators.”

Affidavit Citation: Pg. 9, ¶ 12(b)
Language in Affidavit: “As described above, in March 2016, SCHULTE was one of only three CIA employees throughout the entire CIA who had authorized access to the CIA’s Group’s Back-Up Server from which the Classified Information was likely copied.”

Affidavit Citation: Pg. 10, ¶ 12(b)(iii)
Language in Affidavit: “Thus, SCHULTE was the only one of the three Systems Administrators with access to the Classified Information on the Back-Up Server who was not publicly identified via WikiLeaks publication of the Classified Information.”

Affidavit Citation: Pg. 10, ¶ 12(c)
Language in Affidavit: “The other two individuals who served in March 2016 as Systems Administrators for the CIA Group’s LAN remain employed by the CIA. SCHULTE resigned from the CIA in November 2016, as described in detail below.”

Affidavit Citation: Pg. 11, ¶ 13(d)
Language in Affidavit: “As described above, in March 2016, only two CIA employees in addition to SCHULTE were designated Systems Administrators with access to the CIA Group’s Back-Up Server from which the Classified Information was likely copied.”

Affidavit Citation: Pg. 11, n.5
Language in Affidavit: “On March 7 and 8, 2016, the third of the three CIA employees with Systems Administrator access was located at a CIA facility that did, in fact, have access to the Back-Up Server from which the Classified Information was likely copied.”

Affidavit Citation: Pg. 5, ¶ 8(c)(i)
Language in Affidavit: “The Classified Information appears to have been stolen from the CIA Component sometime between the night of March 7, 2016 and the night of March 8, 2016.”

Affidavit Citation: Pg. 5, ¶ 8(c)©
Language in Affidavit: “Because for the reasons described below (see infra Part C.10), the Classified Information was apparently copied from an automated daily back-up file, it is likely that the Classified Information was copied either late on March 7, 2016 (after the March 7 nightly back-up was completed) or on March 8, 2016 (before the March 8 nightly back-up was completed).”

Affidavit Citation: Pg. 8, ¶ 10(e)
Language in Affidavit: “As described above (see supra Part II.A.8.c), because the most recent timestamp associated with the Classified Information appears to be March 7, 2016, it is likely that the Classified Information was copied from the Back-up Server after the daily back-up on March 7, 2016.”

Affidavit Citation: Pg. 6, ¶ 8(d)
Language in Affidavit: “The Classified Information was publicly released by WikiLeaks exactly one year to the day (March 7, 2017) from the latest date associated with the Classified Information (March 7, 2016).”

Affidavit Citation: Pg. 10, ¶ 13
Language in Affidavit: “As described above (see supra Part II.C.10), it appears likely that the Classified Information was copied between March 7 and March 8, 2016.”

Note: The March 13, 2017 Affidavit disclosed that the analysis as to when the Classified Information was illegally copied from the LAN was preliminary, and that the information could have been copied after March 8, 2017. See March 13, 2017 Affidavit, p. 5, n.1. Since the March 13, 2017 Affidavit was sworn out, WikiLeaks has made public additional classified information purporting to be from the CIA Group on several occasions, including as recently as November 2017. These additional leaks have provided further information about the nature of the information disclosed by WikiLeaks, including the locations on the LAN where the information was stored and the date of the information. Through further investigation, the Government has learned that - in fact - the Classified Information was illegally accessed on or about April 20, 2016. In addition, further analysis of the leak shows that the last timestamp of the Classified Information is on or about March 2, 2016.
Affidavit Citation: Pg. 5, ¶ 8(c)©
Language in Affidavit: “Because, for the reasons described below (see infra Part C.10), the Classified Information was apparently copied from an automated daily back-up file ... .”

Affidavit Citation: Pg. 8, ¶ 10(a)
Language in Affidavit: “Approximately each day, an automated process would back-up data to the Back-Up Server.”

Note: An automated script was used to back up files to the Backup Server. The script, however, had to be manually initiated.

Affidavit Citation: Pg. 8-9, ¶ 11
Language in Affidavit: “Based on my conversations with other law enforcement agents and others, my review of documents, and my training and experience, I know that the CIA Group’s LAN was designed such that only those employees who were specifically given a particular type of systems-administrator access (“System Administrators”) could access the Back-Up Server.”

Affidavit Citation: Page 9, ¶ 11(a)
Language in Affidavit: “System Administrators were given a particular username and password in order to log on to and access the Back-Up Server.”

Note: As the March 13, 2017 Affidavit discloses, it was possible for an employee who was not designated a “Systems Administrator” to access the Back-Up Server. See March 13, 2017 Affidavit, p. 9 n.4. The Back-Up Server itself required login credentials. Since log data going back to the relevant time period is no longer available, however, it could not be determined whether or not users beyond those designated as System Administrators were able to access the backups. The Government notes that the Group’s LAN was structured such that specific employees were tasked with knowing how to access and maintain the Backup Server.
Affidavit Citation: Pg. 10, ¶ 12(b)(2)
Language in Affidavit: “SCHULTE’s name, on the other hand, was not apparently published in the Classified Information.”

Note: The username used by the defendant to access the LAN was published by WikiLeaks.

Affidavit Citation: Pg. 12, ¶ 14
Language in Affidavit: “Based on my conversations with other law enforcement agents and others, and my review of documents, I understand that, on or about April 4, 2016, around the time of his reassignment to another branch within the CIA Group, many of SCHULTE’s administrator privileges on the LAN were revoked and he was no longer permitted to serve as a Systems Administrator in the CIA Group’s LAN.”

Note: Employees with the CIA Group officially attempted to remove the defendant’s system administrator rights on or about April 16, 2016.

Affidavit Citation: Pg. 12, ¶ 14(a)
Language in Affidavit: “At the same time, on or about April 4, 2016, SCHULTE’s computer access to a specific developmental project (“Project-1”) was also revoked. Until his reassignment SCHULTE had been the CIA Group employee with principal responsibility for Project-1.”

Note: On or about April 4, 2016, Schulte’s administrator access to Project-1 and another project (“Project-2”) was revoked. Schulte retained read access to these projects after this date.

Affidavit Citation: Pg. 12, ¶ 15
Language in Affidavit: “Based on my conversations with other law enforcement agents and others, and my review of documents, I understand that, less than two weeks later, on or about April 11, 2016, SCHULTE unilaterally, and without authorization, logged onto the CIA Group’s LAN and reinstated his own administrator privileges.”

Note: On or about April 14, 2016, Schulte unilaterally, and without authorization, logged onto the CIA Group’s LAN and reinstated his access privileges to Project-2.


2. The May 17, 2017 Affidavit

With respect to the May 17, 2017 Affidavit, the Government notes the following: 


Affidavit Citation / Language in Affidavit / Note

Affidavit Citation: Pg. 12, ¶ 15(d)
Language in Affidavit: “Based on a preliminary analysis of the timestamps associated with the latest (or most recent) creation or modification date associated with the Classified Information, it appears that the Classified Information was copied from the LAN in or about March 2016.”

Note: As noted above, the Government’s further investigation has revealed that the Classified Information was illegally copied on or about April 20, 2016. The latest timestamp of the information illegally copied and disclosed by WikiLeaks was in early March 2016.

Affidavit Citation: Pg. 13, ¶ 16(b)
Language in Affidavit: “As part of his responsibilities with the CIA Group, in or about March and early April 2016, SCHULTE was one of three system administrators for the LAN.”

Note: The May 17, 2017 Affidavit notes that the analysis of which CIA employees had access to the Classified Information - including users who had so-called “super-user” access - was ongoing and subject to modification. See May 17, 2017 Affidavit, p. 13 n.5.

Affidavit Citation: Page 13, ¶ 16(c)
Language in Affidavit: “These three systems administrators also had ‘super-user’ access to the LAN, which allowed them broader access to programs, files, and servers.”

Note: Based on further investigation, the Government notes that at least five of the 200 employees of the CIA Group had access to the specific portion of the Group’s computer network on which the Classified Information was likely stored.


USG-CONFIDENTIAL 















Case 1:17-cr-00548-PAC Document 111-6 Filed 07/03/19 Page 10 of 12




Affidavit Citation: Page 14, ¶ 17(c)
Language in Affidavit: “The other two individuals who served in March 2016 as systems administrators for the CIA Group’s LAN remain employed by the CIA. SCHULTE resigned from the CIA in November 2016, as described in detail below.”

Affidavit Citation: Pg. 17, ¶ 23(a)
Language in Affidavit: “On or about April 11, 2016, approximately one week later, SCHULTE unilaterally, and without authorization, logged onto the CIA Group’s LAN and reinstated his own administrator privileges.”

Note: On or about April 14, 2016, SCHULTE, unilaterally and without authorization, logged onto the LAN and reinstated his privileges to Project-2.

Affidavit Citation: Pg. 19, ¶ 25
Language in Affidavit: “Based on my review of the Google Searches, I understand that on or about April 15, 2016, SCHULTE conducted the following Google Search relating specifically to software running on the CIA Group’s LAN: ‘[] admin view restricted pages.’ After conducting the search, SCHULTE visited websites that related to ways to restrict the ability of even other Systems Administrators to view aspects of the LAN. (SCHULTE conducted the same search again thirteen days later, on or about April 28, 2016.)”

Note: The Google Search and websites referred to in this paragraph could pertain to access restrictions that had been put in place.


Affidavit Citation: Pg. 20-21, ¶ 27(d)
Language in Affidavit: “On or about April 28, 2016, SCHULTE again conducted a Google Search relating specifically to software running on the CIA’s Group’s LAN: “[] admin view restricted pages,” which was identical to the Search, described above, he conducted on April 15, 2016, four days after restoring his own administrator access to that very software program without authorization.”

Note: The April 15, 2016 Google Search referred to in this paragraph occurred one day after the defendant restored his access to Project-2.

Affidavit Citation: Pg. 23, ¶ 29(c)
Language in Affidavit: “Starting two days later, May 6, 2016, and again on May 8, 2016, SCHULTE conducted multiple Google searches apparently designed to research anonymous transmission of data on the Internet, through the use of so-called ‘private trackers,’ which are non-public Internet sites set up to privately transfer large quantities of data from one computer to another, as well as through ‘The Onion Router’ or ‘TOR,’ which allows for anonymous communications on the Internet via a worldwide network of linked computer servers, and multiple layers of data encryption.”

Note: “Private trackers” are non-public Internet files that provide/facilitate access to “torrents,” which facilitate peer-to-peer transfer of files.

As noted, the Government’s investigation is ongoing, and it reserves the right to
supplement or modify this disclosure. Should you have any questions, please do not hesitate to 
contact us. 


Sincerely, 

GEOFFREY S. BERMAN 
United States Attorney 


By:_/s/__ 

Matthew Laroche/Sidhardha Kamaraju 
Assistant United States Attorney 
Tel: (212)637-2040/6523 